Webcams as Weapons: Hackers Exploit the Internet of Things to Launch a Massive DDoS Attack

Whether you were impacted by it or not, you’re probably aware that a major attack occurred on Oct. 21 which interrupted traffic for many popular websites, including Twitter, Netflix, CNN, Reddit and Pinterest. The attack was not aimed directly at any of the nearly 80 websites it brought down, but at an Internet domain name system (DNS) company called Dyn, in the form of a massive, sustained distributed denial of service (DDoS) attack. A DNS acts as the “middleman” which helps make sure that when you type a website’s address into your browser, you are connected to the correct website. As a result of the three-hour attack on Dyn, many websites were either completely unavailable or loading slowly for users. At the heart of this DDoS attack is the Internet of things (IoT), as it has been revealed that the hackers carried out their attack by hijacking thousands of webcams, DVRs and other Internet-connected devices in ordinary people’s businesses and homes. This has led to a global conversation about the potential risks presented by IoT devices, and we’ve outlined what you need to know about this attack, what the IoT has to do with it and how you can protect yourself.

What is a DDoS attack?

In a DDoS attack, the perpetrators use hijacked computers or other Internet-connected devices that they’ve taken control of to flood a specific website or server with “junk” web traffic. This causes the target to become inaccessible to people actually trying to use it, either bringing the site (or sites, as in this case) down entirely or causing it to move very slowly. These kinds of attacks are not new — they’ve been around practically since the dawn of the Internet — but they are becoming more sophisticated, research shows. DDoS attacks are also valued by cybercriminals because they are relatively easy to pull off yet have the capability to cause plenty of damage (as the Dyn attack proved).

How was this attack carried out?

This attack is particularly notable because of the way it used IoT devices to do its bidding. Researchers have determined that this attack used a malware strain known as Mirai to hijack people’s webcams, DVRs, routers and other Internet-connected devices. This malware, which was made available by its creator for anyone to use, works by scanning the web for IoT devices that are either unprotected or using weak, highly-public factory default passwords. It then takes them over and uses them for DDoS attacks. A great many of the devices hijacked in this attack contain electronics components made by a Chinese company called XiongMai, which are protected by a default password that enables easy hijacking by malware. XiongMai has released a statement recalling thousands of webcams and other devices containing these vulnerable components — but security experts like Brian Krebs have pointed out that the issues which led to these particular devices being compromised are widespread within the IoT sphere.
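From the defender's side, the password guessing described above shows up in a device's login log as a rapid burst of failed logins from one address, sometimes followed by a success. The following is an added example, not part of the original article, that flags that pattern; the log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a device login log (format and addresses are made up).
SAMPLE_LOG = """\
2016-10-21T11:10:01Z login result=fail src=203.0.113.7 user=root
2016-10-21T11:10:02Z login result=fail src=203.0.113.7 user=admin
2016-10-21T11:10:03Z login result=fail src=203.0.113.7 user=support
2016-10-21T11:10:04Z login result=fail src=203.0.113.7 user=guest
2016-10-21T11:10:05Z login result=ok src=203.0.113.7 user=admin
2016-10-21T11:12:00Z login result=fail src=192.168.1.20 user=owner
2016-10-21T11:12:30Z login result=ok src=192.168.1.20 user=owner
2016-10-21T11:20:00Z login result=fail src=198.51.100.9 user=root
2016-10-21T11:20:01Z login result=fail src=198.51.100.9 user=admin
2016-10-21T11:20:02Z login result=fail src=198.51.100.9 user=user
2016-10-21T11:20:03Z login result=fail src=198.51.100.9 user=root
"""

LINE = re.compile(r"^(\S+) login result=(ok|fail) src=(\S+) user=\S+$")

def classify(log_text, min_failures=4, window=timedelta(seconds=60)):
    """Return {source: 'normal' | 'guessing' | 'likely-compromised'}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events[m.group(3)].append((ts, m.group(2)))
    verdicts = {}
    for src, evs in events.items():
        recent, burst_end, verdict = [], None, "normal"
        for ts, result in sorted(evs):
            # Keep only failures that fall inside the sliding window.
            recent = [t for t in recent if ts - t <= window]
            if result == "fail":
                recent.append(ts)
                if len(recent) >= min_failures:
                    burst_end = ts
                    if verdict == "normal":
                        verdict = "guessing"
            elif burst_end is not None and ts - burst_end <= window:
                verdict = "likely-compromised"  # success right after a burst
        verdicts[src] = verdict
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```

A device whose log shows the "likely-compromised" pattern should be taken offline, reset and given a new password before it is reconnected.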

Who’s responsible?

Initially, security experts and government officials alike had no idea who was behind the attack, as no one came forward to lay claim. President Obama, during a Monday night appearance on Jimmy Kimmel Live!, said the U.S. government had no information on who was responsible. Some people speculated that it could be a state-sponsored actor, possibly Russian, as there have been a number of Russian-backed hacks of American computer systems recently — most notably the infiltration of the Democratic National Committee. However, as of Oct. 25, analysis by security company Flashpoint has determined that the massive DDoS attack was carried out by hackers based out of an English-language hacker forum. These types of hackers are sometimes referred to as “script kiddies,” and are different from hacktivists that seek to promote a political or social cause with their actions. Though the motives are different, hackers are still cybercriminals, and this attack caused major damage and highlighted the potential for disaster that unsecured IoT devices bring to the table.

What does this mean for the average consumer?

The most important lesson for consumers to take from this debacle is that IoT devices, while convenient and trendy, pose a legitimate threat to our overall security. Smart devices are hitting consumer markets without much security behind them, something that has led to some pretty scary consequences — like baby monitors and webcams being used to scare parents or spy on unsuspecting victims. Therefore, a ton of IoT devices on the market are designed with insufficient security, making them inherently dangerous. While some of the issue is user error — many people fail to change the default password and username that their devices come with or change it to something easily crackable — in many ways, there’s nothing users can do to protect themselves. This is because even if you change the default password, there’s a chance hackers could break into your devices using alternate methods, as explained by Krebs.

How can I protect myself?

There are a few important truths everyone should know about IoT devices, which we wrote about earlier this year, but some tips bear repeating. It’s imperative that you always change your passwords anytime you get a new device that connects to the Internet. If you aren’t sure whether there’s a password to change or how to do so, you can always contact tech support or read the documents that come with a product. Additionally, making sure that you’ve got extra security in the form of strong passwords for the network(s) that you connect devices to is equally important. Always use a password-protected Internet connection whether you’re at work, at home or on the go. You should make sure to check for and run updates to your devices and software, as well, since these often contain crucial updates which can patch any known security holes to prevent cybercriminals from gaining access to your IoT products. And, lastly, pay attention for recalls of IoT devices — you may see more and more as these types of hacker attacks become commonplace and the companies producing them realize more security measures are necessary to keep their customers safe.

Like it or not, we’re all connected more than ever these days, and those ever-present connections can bring plenty of headaches. Keep up with all the latest news and tips for keeping yourself protected by following our technology blog.


About Author

Jocelyn Baird

Jocelyn is a NextAdvisor.com writer with a love for coffee, reading and all things personal security. She currently covers identity theft, credit monitoring and credit cards. She has been a guest on several radio shows nationwide and her cybersecurity and personal finance expertise have been featured by Forbes, USA Today, Kiplinger's Personal Finance, The Huffington Post and more. She is a graduate of Syracuse University with a dual degree in Writing and Rhetorical Studies and Anthropology. Follow her on Twitter @JocelynAdvisor.
